github.com/fafucoder/cilium@v1.6.11/Documentation/cmdref/cilium-agent.md

<!-- This file was autogenerated via cilium-agent --cmdref, do not edit manually-->

## cilium-agent

Run the cilium agent

### Synopsis

Run the cilium agent

```
cilium-agent [flags]
```

### Options

```
      --access-log string                           Path to access log of supported L7 requests observed
      --agent-labels strings                        Additional labels to identify this agent
      --allow-localhost string                      Policy when to allow local stack to reach local endpoints { auto | always | policy } (default "auto")
      --annotate-k8s-node                           Annotate Kubernetes node (default true)
      --auto-create-cilium-node-resource            Automatically create CiliumNode resource for own node on startup (default true)
      --auto-direct-node-routes                     Enable automatic L2 routing between nodes
      --blacklist-conflicting-routes                Don't blacklist IP allocations conflicting with local non-cilium routes (default true)
      --bpf-compile-debug                           Enable debugging of the BPF compilation process
      --bpf-ct-global-any-max int                   Maximum number of entries in non-TCP CT table (default 262144)
      --bpf-ct-global-tcp-max int                   Maximum number of entries in TCP CT table (default 1000000)
      --bpf-ct-timeout-regular-any duration         Timeout for entries in non-TCP CT table (default 1m0s)
      --bpf-ct-timeout-regular-tcp duration         Timeout for established entries in TCP CT table (default 6h0m0s)
      --bpf-ct-timeout-regular-tcp-fin duration     Teardown timeout for entries in TCP CT table (default 10s)
      --bpf-ct-timeout-regular-tcp-syn duration     Establishment timeout for entries in TCP CT table (default 1m0s)
      --bpf-ct-timeout-service-any duration         Timeout for service entries in non-TCP CT table (default 1m0s)
      --bpf-ct-timeout-service-tcp duration         Timeout for established service entries in TCP CT table (default 6h0m0s)
      --bpf-nat-global-max int                      Maximum number of entries for the global BPF NAT table (default 841429)
      --bpf-policy-map-max int                      Maximum number of entries in endpoint policy map (per endpoint) (default 16384)
      --bpf-root string                             Path to BPF filesystem
      --cgroup-root string                          Path to Cgroup2 filesystem
      --cluster-id int                              Unique identifier of the cluster
      --cluster-name string                         Name of the cluster (default "default")
      --clustermesh-config string                   Path to the ClusterMesh configuration directory
      --config string                               Configuration file (default "$HOME/ciliumd.yaml")
      --config-dir string                           Configuration directory that contains a file for each option
      --conntrack-gc-interval duration              Overwrite the connection-tracking garbage collection interval
      --container-runtime strings                   Sets the container runtime(s) used by Cilium { containerd | crio | docker | none | auto } ( "auto" uses the container runtime found in the order: "docker", "containerd", "crio" ) (default [auto])
      --container-runtime-endpoint map              Container runtime(s) endpoint(s). (default: --container-runtime-endpoint=containerd=/var/run/containerd/containerd.sock, --container-runtime-endpoint=crio=/var/run/crio/crio.sock, --container-runtime-endpoint=docker=unix:///var/run/docker.sock) (default map[])
      --datapath-mode string                        Datapath mode name (default "veth")
  -D, --debug                                       Enable debugging mode
      --debug-verbose strings                       List of enabled verbose debug groups
  -d, --device string                               Device facing cluster/external network for direct L3 (non-overlay mode) (default "undefined")
      --disable-cnp-status-updates cnp-node-status-gc=false   Do not send CNP NodeStatus updates to the Kubernetes api-server (recommended to run with cnp-node-status-gc=false in cilium-operator)
      --disable-conntrack                           Disable connection tracking
      --disable-endpoint-crd                        Disable use of CiliumEndpoint CRD
      --disable-k8s-services                        Disable east-west K8s load balancing by cilium
  -e, --docker string                               Path to docker runtime socket (DEPRECATED: use container-runtime-endpoint instead) (default "unix:///var/run/docker.sock")
      --egress-masquerade-interfaces string         Limit egress masquerading to interface selector
      --enable-endpoint-health-checking             Enable connectivity health checking between virtual endpoints (default true)
      --enable-endpoint-routes                      Use per endpoint routes instead of routing via cilium_host
      --enable-health-checking                      Enable connectivity health checking (default true)
      --enable-host-reachable-services              Enable reachability of services for host applications (beta)
      --enable-ipsec                                Enable IPSec support
      --enable-ipv4                                 Enable IPv4 support (default true)
      --enable-ipv6                                 Enable IPv6 support (default true)
      --enable-k8s-event-handover                   Enable k8s event handover to kvstore for improved scalability
      --enable-l7-proxy                             Enable L7 proxy for L7 policy enforcement (default true)
      --enable-node-port                            Enable NodePort type services by Cilium (beta)
      --enable-policy string                        Enable policy enforcement (default "default")
      --enable-tracing                              Enable tracing while determining policy (debugging)
      --enable-xt-socket-fallback                   Enable fallback for missing xt_socket module (default true)
      --encrypt-interface string                    Transparent encryption interface
      --encrypt-node                                Enables encrypting traffic from non-Cilium pods and host networking
      --endpoint-interface-name-prefix string       Prefix of interface name shared by all endpoints (default "lxc+")
      --endpoint-queue-size int                     size of EventQueue per-endpoint (default 25)
      --envoy-log string                            Path to a separate Envoy log file, if any
      --exclude-local-address strings               Exclude CIDR from being recognized as local address
      --fixed-identity-mapping map                  Key-value for the fixed identity mapping which allows to use reserved label for fixed identities (default map[])
      --flannel-manage-existing-containers          Installs a BPF program to allow for policy enforcement in already running containers managed by Flannel. Require Cilium to be running in the hostPID.
      --flannel-master-device string                Installs a BPF program to allow for policy enforcement in the given network interface. Allows to run Cilium on top of other CNI plugins that provide networking, e.g. flannel, where for flannel, this value should be set with 'cni0'. [EXPERIMENTAL]
      --flannel-uninstall-on-exit                   When used along the flannel-master-device flag, it cleans up all BPF programs installed when Cilium agent is terminated.
      --force-local-policy-eval-at-source           Force policy evaluation of all local communication at the source endpoint (default true)
  -h, --help                                        help for cilium-agent
      --host-reachable-services-protos strings      Only enable reachability of services for host applications for specific protocols (default [tcp,udp])
      --http-idle-timeout uint                      Time after which a non-gRPC HTTP stream is considered failed unless traffic in the stream has been processed (in seconds); defaults to 0 (unlimited)
      --http-max-grpc-timeout uint                  Time after which a forwarded gRPC request is considered failed unless completed (in seconds). A "grpc-timeout" header may override this with a shorter value; defaults to 0 (unlimited)
      --http-request-timeout uint                   Time after which a forwarded HTTP request is considered failed unless completed (in seconds); Use 0 for unlimited (default 3600)
      --http-retry-count uint                       Number of retries performed after a forwarded request attempt fails (default 3)
      --http-retry-timeout uint                     Time after which a forwarded but uncompleted request is retried (connection failures are retried immediately); defaults to 0 (never)
      --identity-allocation-mode string             Method to use for identity allocation (default "kvstore")
      --identity-change-grace-period duration       Time to wait before using new identity on endpoint identity change (default 5s)
      --install-iptables-rules                      Install base iptables rules for cilium to mainly interact with kube-proxy (and masquerading) (default true)
      --ip-allocation-timeout duration              Time after which an incomplete CIDR allocation is considered failed (default 2m0s)
      --ipam string                                 Backend to use for IPAM
      --ipsec-key-file string                       Path to IPSec key file
      --iptables-lock-timeout duration              Time to pass to each iptables invocation to wait for xtables lock acquisition (default 5s)
      --ipv4-cluster-cidr-mask-size int             Mask size for the cluster wide CIDR (default 8)
      --ipv4-node string                            IPv4 address of node (default "auto")
      --ipv4-pod-subnets strings                    List of IPv4 pod subnets to preconfigure for encryption
      --ipv4-range string                           Per-node IPv4 endpoint prefix, e.g. 10.16.0.0/16 (default "auto")
      --ipv4-service-loopback-address string        IPv4 address for service loopback SNAT (default "169.254.42.1")
      --ipv4-service-range string                   Kubernetes IPv4 services CIDR if not inside cluster prefix (default "auto")
      --ipv6-cluster-alloc-cidr string              IPv6 /64 CIDR used to allocate per node endpoint /96 CIDR (default "f00d::/64")
      --ipv6-node string                            IPv6 address of node (default "auto")
      --ipv6-pod-subnets strings                    List of IPv6 pod subnets to preconfigure for encryption
      --ipv6-range string                           Per-node IPv6 endpoint prefix, must be /96, e.g. fd02:1:1::/96 (default "auto")
      --ipv6-service-range string                   Kubernetes IPv6 services CIDR if not inside cluster prefix (default "auto")
      --ipvlan-master-device string                 Device facing external network acting as ipvlan master (default "undefined")
      --k8s-api-server string                       Kubernetes api address server (for https use --k8s-kubeconfig-path instead)
      --k8s-kubeconfig-path string                  Absolute path of the kubernetes kubeconfig file
      --k8s-require-ipv4-pod-cidr                   Require IPv4 PodCIDR to be specified in node resource
      --k8s-require-ipv6-pod-cidr                   Require IPv6 PodCIDR to be specified in node resource
      --k8s-watcher-endpoint-selector string        K8s endpoint watcher will watch for these k8s endpoints (default "metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager")
      --k8s-watcher-queue-size uint                 Queue size used to serialize each k8s event type (default 1024)
      --keep-bpf-templates                          Do not restore BPF template files from binary
      --keep-config                                 When restoring state, keeps containers' configuration in place
      --kvstore string                              Key-value store type
      --kvstore-connectivity-timeout duration       Time after which an incomplete kvstore operation is considered failed (default 2m0s)
      --kvstore-opt map                             Key-value store options (default map[])
      --kvstore-periodic-sync duration              Periodic KVstore synchronization interval (default 5m0s)
      --label-prefix-file string                    Valid label prefixes file path
      --labels strings                              List of label prefixes used to determine identity of an endpoint
      --lb string                                   Enables load balancer mode where load balancer bpf program is attached to the given interface
      --lib-dir string                              Directory path to store runtime build environment (default "/var/lib/cilium")
      --log-driver strings                          Logging endpoints to use for example syslog
      --log-opt map                                 Log driver options for cilium (default map[])
      --log-system-load                             Enable periodic logging of system load
      --masquerade                                  Masquerade packets from endpoints leaving the host (default true)
      --metrics strings                             Metrics that should be enabled or disabled from the default metric list. (+metric_foo to enable metric_foo , -metric_bar to disable metric_bar)
      --monitor-aggregation string                  Level of monitor aggregation for traces from the datapath (default "None")
      --monitor-queue-size int                      Size of the event queue when reading monitor events
      --mtu int                                     Overwrite auto-detected MTU of underlying network
      --nat46-range string                          IPv6 prefix to map IPv4 addresses to (default "0:0:0:0:0:FFFF::/96")
      --node-port-range strings                     Set the min/max NodePort port range (default [30000,32767])
      --policy-queue-size int                       size of queues for policy-related events (default 100)
      --pprof                                       Enable serving the pprof debugging API
      --preallocate-bpf-maps                        Enable BPF map pre-allocation (default true)
      --prefilter-device string                     Device facing external network for XDP prefiltering (default "undefined")
      --prefilter-mode string                       Prefilter mode { native | generic } (default: native) (default "native")
      --prepend-iptables-chains                     Prepend custom iptables chains instead of appending (default true)
      --prometheus-serve-addr string                IP:Port on which to serve prometheus metrics (pass ":Port" to bind on all interfaces, "" is off)
      --proxy-connect-timeout uint                  Time after which a TCP connect attempt is considered failed unless completed (in seconds) (default 1)
      --read-cni-conf string                        Read to the CNI configuration at specified path to extract per node configuration
      --restore                                     Restores state, if possible, from previous daemon (default true)
      --sidecar-istio-proxy-image string            Regular expression matching compatible Istio sidecar istio-proxy container image names (default "cilium/istio_proxy")
      --single-cluster-route                        Use a single cluster route instead of per node routes
      --skip-crd-creation                           Skip Kubernetes Custom Resource Definitions creations
      --socket-path string                          Sets daemon's socket path to listen for connections (default "/var/run/cilium/cilium.sock")
      --sockops-enable                              Enable sockops when kernel supported
      --state-dir string                            Directory path to store runtime state (default "/var/run/cilium")
      --tofqdns-dns-reject-response-code string     DNS response code for rejecting DNS requests, available options are '[nameError refused]' (default "refused")
      --tofqdns-enable-poller                       Enable proactive polling of DNS names in toFQDNs.matchName rules.
      --tofqdns-enable-poller-events                Emit DNS responses seen by the DNS poller as Monitor events, if the poller is enabled. (default true)
      --tofqdns-endpoint-max-ip-per-hostname int    Maximum number of IPs to maintain per FQDN name for each endpoint (default 50)
      --tofqdns-min-ttl int                         The minimum time, in seconds, to use DNS data for toFQDNs policies. (default 3600 when --tofqdns-enable-poller, 604800 otherwise)
      --tofqdns-pre-cache string                    DNS cache data at this path is preloaded on agent startup
      --tofqdns-proxy-port int                      Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port.
      --tofqdns-proxy-response-max-delay duration   The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. (default 50ms)
      --trace-payloadlen int                        Length of payload to capture when tracing (default 128)
  -t, --tunnel string                               Tunnel mode {vxlan, geneve, disabled} (default "vxlan" for the "veth" datapath mode)
      --version                                     Print version information
      --write-cni-conf-when-ready string            Write the CNI configuration as specified via --read-cni-conf to path when agent is ready
```